LG Köln - 13 K 278/21: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 62: Line 62:
}}
}}


The German federal administration sent documents with special categories of data to the wrong person. A court held the controller responsible for violating the GDPR and ruled a compensation of €1,000 on the basis of [[Article 82 GDPR#1|Article 82(1) GDPR]].
A German federal administration sent documents with special categories of data to the wrong recipient. A court held the controller responsible for violating Article 9 GDPR and ruled a compensation of €1,000 on the basis of [[Article 82 GDPR#1|Article 82(1) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was a federal civil servant who applied for assistance from the controller, the German Federal Administrative Office. The data subject attached to his application 13 copies of receipts with special categories of personal data – in particular information about his health.  
The data subject was a federal civil servant who applied for assistance from the controller, the German Federal Administrative Office. The data subject attached to his application 13 copies of receipts with special categories of personal data – in particular information about his health. The receipts included nine invoices and statements from various specialist doctors in 2019, detailing the individual services provided and, in some cases, including diagnostic information, along with four prescriptions for medications.  


The receipts included nine invoices and statements from various specialist doctors in 2019, detailing the individual services provided and, in some cases, including diagnostic information, along with four prescriptions for medications.
The controller should have returned the copies to the data subject, but due to an administrative error, the data subject received the copies concerning a third person and the data subject´s receipts were also accidentally sent to a third person. After the controller got back the receipts from the third person, they were eventually sent to the data subject.  
 
The controller should have returned the copies to the data subject, but due to an administrative error, the data subject received the copies from a third person and the data subject´s receipts were also accidentally sent to a third person. After the controller got back the receipts from the third person, they were eventually sent to the data subject.  


Due to this error, health data of the data subject was disclosed to a third person, without any legal ground. This violated the data subject's general right of personality and his right to informational self-determination. Therefore, the data subject claimed €3,000 as compensation for damages pursuant to [[Article 82 GDPR|Article 82(1) GDPR]].
Due to this error, health data of the data subject was disclosed to a third person, without any legal ground. This violated the data subject's general right of personality and his right to informational self-determination. Therefore, the data subject claimed €3,000 as compensation for damages pursuant to [[Article 82 GDPR|Article 82(1) GDPR]].
Line 78: Line 76:
The court found the disclosure unlawful as occurred in violation of Article 9(1) GDPR. In the quantification of damages the court ruled the following.
The court found the disclosure unlawful as occurred in violation of Article 9(1) GDPR. In the quantification of damages the court ruled the following.


First, there was nothing to indicate that the data were made known to other persons, except for the wrong recipient. In this respect, it could be assumed that the risk of further dissemination of the data subject's health data by the third party did not materialize. The controller immediately demanded the return of the receipts from the third party and returned them to the data subject after it had noticed the incorrect dispatch.
First, there was nothing to indicate that the data were made known to other persons, other than the known (wrong) recipient. In this respect, it could be assumed that the risk of further dissemination of the data subject's health data by the third party did not materialize. The controller immediately demanded the return of the receipts from the third party and returned them to the data subject after it had noticed the incorrect dispatch.


Further, the court held that the incorrect dispatch of the aid vouchers was only due to simple negligence; the court did not find any gross negligence or intent in the unlawful disclosure.
Further, the court held that the incorrect dispatch of the aid vouchers was only due to simple negligence; the court did not find any gross negligence or intent in the unlawful disclosure.


Finally, there was also no risk of repetition. According to the controller, the misdirection was a one-time exceptional case. The controller also changed the way it handles the documents sent in. The aid notifications are now sent without supporting documents and all supporting documents provided are destroyed in the aid office in line with data protection requirements. A violation of [[Article 9 GDPR]] similar to the present case was thus ruled out for the future.  
Finally, there was also no risk of repetition. According to the controller, the misdirection was a one-time exceptional case. The controller also changed the way it handles the documents sent in. The aid notifications were now sent without supporting documents and all supporting documents provided were now destroyed in the aid office in line with data protection requirements. A violation of [[Article 9 GDPR]] similar to the present case was thus ruled out for the future.  


In addition, the court noticed how the controller called in the responsible data protection officer.
In addition, the court noticed how the controller called in the responsible data protection officer.

Latest revision as of 11:27, 2 August 2023

LG Köln - 13 K 278/21
Courts logo1.png
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 9(1) GDPR
Article 82(1) GDPR
Decided: 23.02.2023
Published:
Parties:
National Case Number/Name: 13 K 278/21
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: OpnJur (in German)
Initial Contributor: Sara Horvat

A German federal administration sent documents with special categories of data to the wrong recipient. A court held the controller responsible for violating Article 9 GDPR and ruled a compensation of €1,000 on the basis of Article 82(1) GDPR.

English Summary

Facts

The data subject was a federal civil servant who applied for assistance from the controller, the German Federal Administrative Office. The data subject attached to his application 13 copies of receipts with special categories of personal data – in particular information about his health. The receipts included nine invoices and statements from various specialist doctors in 2019, detailing the individual services provided and, in some cases, including diagnostic information, along with four prescriptions for medications.

The controller should have returned the copies to the data subject, but due to an administrative error, the data subject received the copies concerning a third person and the data subject´s receipts were also accidentally sent to a third person. After the controller got back the receipts from the third person, they were eventually sent to the data subject.

Due to this error, health data of the data subject was disclosed to a third person, without any legal ground. This violated the data subject's general right of personality and his right to informational self-determination. Therefore, the data subject claimed €3,000 as compensation for damages pursuant to Article 82(1) GDPR.

Holding

The court found the disclosure unlawful as occurred in violation of Article 9(1) GDPR. In the quantification of damages the court ruled the following.

First, there was nothing to indicate that the data were made known to other persons, other than the known (wrong) recipient. In this respect, it could be assumed that the risk of further dissemination of the data subject's health data by the third party did not materialize. The controller immediately demanded the return of the receipts from the third party and returned them to the data subject after it had noticed the incorrect dispatch.

Further, the court held that the incorrect dispatch of the aid vouchers was only due to simple negligence; the court did not find any gross negligence or intent in the unlawful disclosure.

Finally, there was also no risk of repetition. According to the controller, the misdirection was a one-time exceptional case. The controller also changed the way it handles the documents sent in. The aid notifications were now sent without supporting documents and all supporting documents provided were now destroyed in the aid office in line with data protection requirements. A violation of Article 9 GDPR similar to the present case was thus ruled out for the future.

In addition, the court noticed how the controller called in the responsible data protection officer.

For this reasons, the court set the compensation at €1,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

VG Cologne, judgment of February 23, 2023 - 13 K 278/21
reference
openJur 2023, 7089

    Rkr:

tenor

The defendant is sentenced to pay the plaintiff EUR 1,000.00 plus interest of 5 percentage points above the respective base interest rate since July 24, 2019.

Furthermore, the defendant is sentenced to pay the plaintiff EUR 81.68 plus interest of 5 percentage points above the respective base interest rate since October 22, 2020.

Moreover, the application is dismissed.

The plaintiff bears 2/3 of the costs of the proceedings and the defendant bears 1/3.

The judgment is provisionally enforceable. The respective enforcement debtor can avert enforcement against security in the amount of 110% of the amount enforceable on the basis of the judgment, if the respective enforcement creditor does not provide security in the amount of 110% of the amount to be enforced in each case before enforcement.

The appeal is allowed.
facts

The parties involved are arguing about the amount of a claim for damages under Article 82 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR -).

The plaintiff was a federal officer. On March 23, 2019, he applied to the Federal Office of Administration of the defendant for aid, enclosing 13 copies of receipts. The Federal Office of Administration then issued an aid decision on March 29, 2019. With the decision, the plaintiff did not receive back the documents he had previously submitted, but rather those of a third party. The receipts submitted by the plaintiff were themselves sent to the third party due to an administrative oversight by the Federal Office of Administration. After the Federal Office of Administration had requested the receipts from the third party, it sent them to the plaintiff. The plaintiff's aid receipts included nine invoices and liquidations from various specialists from 2019, listing the individual services and, in some cases, naming diagnoses, as well as four prescriptions for medication.

In a letter dated July 9, 2019, the plaintiff asserted a claim for damages against the Federal Office of Administration in accordance with Art. 82 GDPR and requested the Federal Office of Administration to recognize the merits of the claim by July 23, 2021 and to make a payment of EUR 1,000 for the expected compensation for pain and suffering. In a letter dated November 8, 2019, the plaintiff renewed his request with a deadline of November 29, 2019. The Federal Office of Administration did not react to this.

On May 15, 2020, the plaintiff brought an action before the District Court of Düsseldorf, which was served on the defendant on October 21, 2020. With a decision of December 2, 2020, the district court of Düsseldorf declared legal recourse to the ordinary courts to be inadmissible and referred the proceedings to the adjudicating court.

The plaintiff is of the opinion that he is entitled to compensation for pain and suffering under Art. 82 (1) GDPR because his aid receipts were sent incorrectly to the third party. The incorrect delivery constitutes a serious breach of the GDPR. The medical bills contained reports and diagnoses that allowed conclusions to be drawn about his state of health and his clinical pictures. The data is particularly sensitive. The Federal Office of Administration is also to blame for the incorrect delivery. This violates his general personality rights and his right to informational self-determination. A compensation for pain and suffering in the amount of 3,000 euros is appropriate.

The plaintiff requests

to order the defendant to pay him an appropriate compensation for pain and suffering, the amount of which is at the discretion of the court, together with interest of 5 percentage points above the respective base interest rate since July 24, 2019,

further order the defendant to pay the plaintiff out-of-court attorney's fees of EUR 179.27 plus interest of 5 percentage points above the respective base interest rate since lis pendens.

The defendant requests

reject the complaint.

The plaintiff did not sufficiently demonstrate an immaterial damage item. Apart from that, when assessing the compensation for pain and suffering, it must be taken into account that the mix-up of the aid documents was a one-off exceptional case. At best, the Federal Office of Administration is charged with slight negligence, since it was a matter of momentary human error in the context of mass administration. Identical circumstances are excluded for the future; the Federal Office of Administration has changed its processes so that the aid receipts are no longer sent back but destroyed in accordance with data protection regulations. After the mix-up had been noticed, the Federal Office of Administration immediately demanded the receipt of the aid back from the third party and then returned it to the plaintiff. The plaintiff was fully informed about the mix-up. The official data protection officer was also informed about the process. Finally, it should be borne in mind that the plaintiff's data only became known to a single person unknown to the plaintiff. Neither a larger group of recipients nor his personal environment learned of the data.

The defendant is of the opinion under what conditions and to what extent a claim for monetary compensation can be accepted under Art. 82 (1) GDPR has so far been generally open. She suggests submitting the case to the European Court of Justice or at least suspending the proceedings. In particular, it is questionable how the concept of damage is to be understood according to Art. 82 (1) GDPR and which presentation requirements would apply in this respect.

The parties have waived the holding of an oral hearing.

For further details of the facts and the dispute, reference is made to the content of the court files and the administrative processes involved by the defendant.
reasons

The lawsuit, on which the court was able to decide in accordance with Section 101 (2) of the Administrative Court Code (VwGO) with the consent of the parties involved without an oral hearing, was only partially successful.

I

The lawsuit is admissible. With regard to the legal process, the court is bound by the referral decision of the District Court of Düsseldorf of December 2, 2020, Section 17a (2) sentence 3 of the Courts Constitution Act (GVG). This decision is also not obviously incorrect or lacks any legal basis,

cf. Federal Administrative Court (BVerwG), decision of March 17, 2010 - 7 AV 1.10 -, juris para. 7; Federal Labor Court (BAG), decision of January 4, 1993 - 5 AS 12/92 -, juris para. 12.

The court is of the opinion that legal recourse to the administrative courts is not open in the present case. According to § 40 paragraph 1 sentence 1 VwGO, administrative recourse is given in all public law disputes of a non-constitutional nature, unless the disputes are expressly assigned to another court by federal law. For pecuniary claims from sacrifice for the common good and from public custody as well as for claims for damages from the violation of public law obligations that are not based on a public law contract, the ordinary legal process is given, § 40 paragraph 2 sentence 1 1st half sentence VwGO. The present case is about claims for damages, for which civil litigation is open.

A jurisdiction of the administrative courts also does not follow from Art. 82 (6) in conjunction with Art. 79 (2) GDPR. Art. 82 (6) GDPR refers to Art. 79 (2) GDPR with regard to responsibility. According to this, the courts of the Member State in which the person responsible or the processor has a branch have jurisdiction for lawsuits against a person responsible or against a processor (sentence 1). Alternatively, such lawsuits can also be brought before the courts of the Member State in which the person concerned has their habitual residence, unless the person responsible or the processor is an authority of a Member State that has acted in the exercise of its sovereign powers (sentence 2). However, the provision only regulates international or local jurisdiction. Further (domestic) jurisdiction results from national law. This follows on the one hand from the terms "branch office" or "habitual residence", which do not give any indication of factual responsibility or jurisdiction and on the other hand from the connection with Section 44 Paragraphs 1 and 2 of the Federal Data Protection Act (BDSG). The provision transfers the international jurisdiction rules on a one-to-one basis to domestic local jurisdiction for civil claims. This was necessary for the implementation of Art. 79 (2) GDPR, so that the choice made by the person concerned with regard to the place of action is also made possible domestically. This also applies solely to local jurisdiction. In the event of a lawsuit against an authority that has acted in the exercise of its sovereign powers, the local jurisdiction, in the absence of applicability of Section 44 BDSG (cf. Section 44 (2) BDSG), is based on the procedural regulations of the specialist courts. However, there is no factual responsibility or even an assignment of legal recourse,

cf. Quaas, in: Wolff/Brink, BeckOK data protection, 42nd edition, status: August 1, 2022, Art. 82 para. 46 ff.; Nemitz, in: Ehmann/Selmayr, GDPR 2nd edition 2018, Art. 82 para. 32; Franzen, in: ibid./Gallner/Oetker, Commentary on European Labor Law, 4th edition 2022, Art. 82 EU (VO) 2016/679 para. 26; specifically on Section 44 (2) of the Federal Data Protection Act, BTDrucks 18/11325 of February 24, 2017, p. 110; a. A. Frenzel, in: Paal/Pauly, DSGVO, BDSG, 3rd edition 2021, Art. 82 para. 18; It is also disputed whether Art. 34 sentence 3 GG already applies, but the Hessian State Social Court (LSG Hessen), decision of January 26, 2022 - L 6 SF 7/21 DS -, juris para. 22 et seq.; on the other hand, Federal Fiscal Court (BFH), decision of June 28, 2022 - II B 93/21 -, juris para. 12 ff.

The jurisdiction of the administrative courts also does not follow from the fact that they are responsible for complaints under Article 79 (1) GDPR regarding official violations of the General Data Protection Regulation in accordance with Section 40 (1) sentence 1 VwGO as a public law dispute (domestic). The view taken on this, which as a consequence of Art. 82 (6) GDPR sees the same (domestic) court jurisdiction for the right to damages as for all other claims against the person responsible or processor, is not convincing,

cf. Boehm, in Simitis/Hornung/Spiecker, DSGVO, 1st edition 2019, Art. 82 para. 37.

The reference in Art. 82 (6) GDPR to Art. 79 (2) GDPR only covers the question of the jurisdiction of the Member State (prior to domestic jurisdiction), which is governed by Art. 79 (2) GDPR. According to Art. 82 (6) GDPR, the courts that have jurisdiction under the legal provisions of the Member State referred to in Art. 79 (2) GDPR are to deal with court proceedings to claim the right to compensation. The (domestic) jurisdiction is therefore based on the law of the member state whose courts have jurisdiction under Art. 79 (2) GDPR. This follows clearly from the English version of the GDPR, which states: "Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79 (2)", Art. 82 (6) GDPR. Another content, according to which the reference in Art. 82 (6) GDPR is intended to prevent different courts from deciding on the violation of the GDPR as such and on the compensation for damages, cannot be inferred from it. Rather, it is not alien to the German legal system for the same facts to be judged in different courts.

Art. 82 (2) and Art. 79 (2) GDPR alone determine which Member State is responsible and therefore which national legal system applies.

However, the decision of the District Court of Düsseldorf is not obviously incorrect or lacking any legal basis. The controversial issue of legal recourse for lawsuits against authorities under Art. 82 GDPR has not yet been sufficiently clarified in case law. The legal dispute undoubtedly also has links to public law; the disputed claim for damages is directed against the Federal Office of Administration, which acted in the exercise of its sovereign powers when the damage occurred,

cf. Nemitz, loc.cit., Art. 79 para. 4 f.

II.

The lawsuit is only partially justified.

The plaintiff is entitled to compensation of EUR 1,000 from the defendant.

This claim is based on Art. 82 Para. 1, Para. 2 Sentence 1, Para. 3 GDPR. According to Art. 82 (1) GDPR, any person who has suffered material or immaterial damage as a result of a violation of the General Data Protection Regulation has a claim for damages against the person responsible, among other things. Each person responsible for processing is liable for the damage caused by processing that does not comply with this regulation, Art. 82 (2) sentence 1 GDPR. The person responsible is released from liability if he proves that he is in no way responsible for the circumstance that caused the damage, Art. 82 para. 3 GDPR.

These conditions are given in the present case. The plaintiff is entitled to claim as "every person" and the Federal Office of Administration of the defendant is obliged to claim as the "responsible person". According to Art. 4 No. 7 half-sentence 1 GDPR, the person responsible is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. The plaintiff's aid receipts contain information about the plaintiff and thus personal data within the meaning of Art. 4 No. 1 GDPR. The Federal Office of Administration processed this data within the meaning of Art. 4 No. 2 GDPR and made independent decisions with regard to the purposes and means.

In any case, the Federal Office of Administration violated Art. 9 (1) GDPR when processing the plaintiff’s personal data. The aid receipts are not just (simple) personal data, but particularly sensitive health data within the meaning of Art. 4 No. 15, Art. 9 (1) GDPR. Sending this health data to a third party was prohibited by law. There is no reason for exception; in particular, the plaintiff did not expressly consent to the sending, Article 9 (2) (a) GDPR.

Because of this violation, the plaintiff suffered immaterial damage. Art. 82 para. 1 GDPR expressly covers not only material but also immaterial damage. As can be seen from recital 146 sentence 3 of the GDPR, the concept of damage is to be interpreted broadly. Recital 75 GDPR cites as examples of damage discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data subject to professional secrecy, unauthorized removal of pseudonymisation or other significant economic or social disadvantage. In addition, the processing of personal data revealing racial or ethnic origin, political opinions or religious or philosophical beliefs, as well as genetic data, health data or data relating to sex life or criminal convictions is to be considered damage.

The inadmissible sending of the plaintiff's aid receipts to the third party - which is now undisputed between the parties involved - causes non-material damage. This corresponds to the broad understanding of damage by the European legislator and corresponds to the assessments of recital 75 of the GDPR. The fact that the plaintiff did not specify this damage in more detail in the present case is irrelevant. The disadvantages it has suffered are obvious and require no further explanation. Immaterial damage is already based on the fact that the third party inevitably took a look at the plaintiff's aid documents due to the incorrect dispatch by the Federal Office of Administration. This health data is subject to special protection in accordance with Art. 9 Para. 1 GDPR. They contain information about the narrower private sphere up to the private sphere of the plaintiff. Their disclosure to the third party leads to a loss of confidentiality and embarrassment for the person concerned,

cf. Nemitz, loc.cit., Art. 82 para. 13.

The fact that the disclosure was made to a single person previously unknown to the plaintiff does not preclude the assumption of exposure. In addition, there is the risk inherent in disclosure that the third party will disseminate the sensitive data to the detriment of the plaintiff.

The defendant has also not proved that the Federal Office of Administration was in no way responsible for the circumstances of the occurrence of the damage, Art. 82 Para. 3 DS-GVO. Rather, the plaintiff's incorrect dispatch of the aid receipts was based on an clerical error in the post office of the Federal Office of Administration and thus on negligence. The defendant must accept responsibility for this negligence on the part of the acting employee,

cf. Quaas, loc.cit., Art. 82 para. 18 f. with further references.

To what extent Art. 82 Para. 1 GDPR also requires that the damage exceeds a minor or significant threshold,

cf. Federal Constitutional Court (BVerfG), decision of January 14, 2021 - 1 BvR 2853/19 -, juris para. 19 f.; Regional Court (LG) LG Saarbrücken, ECJ submission of November 22, 2021 - 5 O 151/19 -, juris para. 46 ff. (Question 1); for this, the Higher Regional Court (OLG) Dresden, judgment of November 30, 2021 - 4 U 1158/21 -, juris para. 11; Frenzel, loc.cit., Art. 82 para. 10; Franzen, loc.cit., Art. 82 para. 22; on the other hand OLG Frankfurt, judgment of March 2, 2022 - 13 U 206/20 -, juris para. 59 ff.; LG Düsseldorf, judgment of October 28, 2021 - 16 O 128/20 -, juris para. 37; LG Munich I, judgment of December 9, 2021 - 31 O 16606/20 -, juris marginal note 40; Quaas, loc.cit., Art. 82 para. 25 et seq.; Buchner/Wessels, ZD 2022, 251, 254, each also with reference,

no decision is required in this case. Because the immaterial damage suffered by the plaintiff turns out to be considerable. The impairments suffered by the plaintiff go beyond a mere uneasy feeling or the vague feeling of a loss of control. The aid receipts provide information about numerous medical appointments made by the plaintiff in the first quarter of 2019 in various medical specialties. They enable a far-reaching insight into the plaintiff's symptoms, which can be derived from the services recorded on the doctor's bills and the diagnoses, which relate to both the psychological and the physical area. Knowledge of the plaintiff's health data could easily be used by the third party to discredit the plaintiff in his professional, social or private environment; this applies in particular to the psychiatric treatment of the plaintiff at the beginning of March 2019.

With regard to the amount of immaterial damage, the court considers an amount of EUR 1,000.00 to be appropriate, but also sufficient. The determination of the amount of damage is the responsibility of the court - in the absence of relevant Union law provisions - according to § 173 sentence 1 clause 1 VwGO in conjunction with § 287 paragraph 1 sentence 1 ZPO. The court must decide on the amount of damage, taking into account all the circumstances, based on free conviction,

see BAG, judgment of May 5, 2022 - 2 AZR 363/21 -, juris para. 12 et seq.; Quaas, loc.cit., Art. 82 para. 31.

According to recital 146 sentence 6 GDPR, the data subjects should receive full and effective compensation for the damage suffered within the framework of Art. 82 (1) GDPR. The amount of the immaterial damages must be based on its functions, namely the compensation function and the satisfaction function. The question of whether the claim for damages also has a deterrent function was submitted by the Federal Labor Court to the European Court of Justice for a preliminary ruling,

cf. Nemitz, loc.cit., Art. 82 para. 18; OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21 -, juris para. 82 ff.; specifically on the question of the deterrent function BAG, ECJ submission of August 26, 2021 - 8 AZR 253/20 (A) -, juris para. 32 ff. (Question 4).

The criteria of Art. 83 Para. 2 GDPR can be used to assess the immaterial damages. This includes, inter alia, the nature, gravity and duration of the breach, the intentional nature or negligence of the breach, any measures taken by the controller to mitigate the harm caused to data subjects, any relevant previous breaches by the controller, the extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects, the categories of personal data affected by the breach and any other aggravating or mitigating circumstances in each case,

See LG Saarbrücken, decision of November 22, 2021 - 5 O 151/19 -, juris para. 30 et seq. (Question 3); as here LG Cologne, judgment of May 18, 2022 - 28 O 328/21 -, juris para. 34; LG Essen, judgment of September 23, 2021 - 6 O 190/21 -, juris para. 52; Quaas, loc.cit., Art. 82 para. 31; Paal/Aliprandi, ZD 2021, 241, 246.

After weighing the relevant aspects, the court considers a payment of damages in the amount of EUR 1,000.00 to be appropriate and sufficient. This amount of money compensates for the non-material damage suffered by the plaintiff. The amount takes into account, to the detriment of the defendant, that the incorrectly sent data was particularly sensitive health data of the plaintiff within the meaning of Art. 9 (1) GDPR. In this respect, the violation is particularly serious. The plaintiff is not guilty of contributory negligence. However, it should be considered as a mitigating factor that the data was only disclosed to a single person unknown to the plaintiff due to the incorrect dispatch. There is no evidence that the data was made known to other persons. In this respect, it can be assumed that the risk of the plaintiff's health data being passed on by the third party did not materialize. Insofar as this risk still persists after the aid receipts have been returned, the court considers it to be extremely low. The Federal Office of Administration immediately reclaimed the aid receipts from the third party and returned them to the plaintiff after noticing the incorrect dispatch; The plaintiff did not counter the corresponding arguments of the defendants. The plaintiff has not explained to the court any personal consequences that go beyond the loss of confidentiality and the exposure, which are already generally recognized. In this respect, the consequences of the violation for the plaintiff are limited.

In contrast, the satisfaction function of the claim for damages is irrelevant in this case. The incorrect dispatch of the aid receipts is based on simple negligence; the court does not recognize gross negligence or even intent.

In this case, the compensation for damages does not have to fulfill a deterrent function either, so that it does not matter whether such a function is to be recognized at all within the framework of Art. 82 (1) GDPR. After all, there is no risk of repetition. According to the Federal Office of Administration, the incorrect shipment was a one-off exceptional case. The Federal Office of Administration has also changed the way in which the documents sent in are handled. The aid notifications are now sent without receipts and all the documents provided are destroyed in the aid office in accordance with data protection regulations. A violation of Art. 9 GDPR similar to the present case is therefore excluded for the future. In addition, the defendant called in the responsible data protection officer.

Finally, the determined amount of damage of 1,000.00 euros is also appropriate in a comparative view of the compensation for pain and suffering previously awarded by the civil and labor courts according to Art. 82 Para. 1 GDPR. Significantly higher amounts of 2,000.00 euros to 5,000.00 euros have been awarded if serious intentional violations of the GDPR were involved, such as the collection and transmission of employee data in a clinic, identity theft or being spied on by a detective agency. Significantly lower amounts of around EUR 500.00 have so far been awarded if the violation concerned less sensitive data, such as the incorrect sending of an account statement,

cf. LAG Hamm, judgment of December 14, 2021 - 17 Sa 1185/20 -, juris para. 155 ff.; LG Munich I, judgment of December 9, 2021 - 31 O 16606/20 -, juris para. 45; OLG Dresden, judgment of November 30, 2021 - 4 U 1158/21 -, juris para. 13; Frankfurt Higher Regional Court, judgment of April 14, 2022 - 3 U 21/20 -, juris para. 58; see also Quaas, loc.cit., Art. 82 para. 34.1; Leibold, in: ZD-Aktuell 2021, 05146; ZD-Aktuell 2021, 05043; ZD-Aktuell 2022, 01092; ZD 2022, 18.

A referral to the European Court of Justice pursuant to Article 267 (1) and (2) of the Treaty on the Functioning of the European Union (TFEU) on the question of the requirement for a de minimis and materiality threshold and on the deterrent function of damages is not required - regardless of the fact that the court adjudicating under Article 267 (3) TFEU is not obliged to refer anyway - according to the above statements. For the same reasons, a suspension of the procedure according to § 94 VwGO is not appropriate.

The interest claim regarding the main claim is based on Section 288 Paragraph 1, Section 286 Paragraph 1 of the German Civil Code (BGB), since the defendant was in default. Due to the violation of the GDPR, the plaintiff had an effective, due, undisputed claim under Art. 82 GDPR for payment of compensation for pain and suffering from the defendant. The plaintiff requested the defendant to pay by setting a deadline of July 23, 2019 and stating a specific amount. The defendant has therefore been in default since July 24, 2019.

The additional pre-court attorney's fees claimed by the plaintiff are justified in the tenored scope of Art. 82 (1) GDPR in conjunction with the principles developed for Section 249 (1) BGB. The use of a lawyer was necessary and expedient for the plaintiff to enforce his claim for damages under Art. 82 Para. 1 DSGVO in view of the difficult and confusing legal situation. However, the pre-court attorney's fees are not to be calculated on the basis of the item's value of EUR 3,000.00. Rather, the claim is to be based on the value that corresponds to the justified claim for damages. This is 1,000.00 euros here. According to this, the plaintiff is entitled to reimbursement of pre-trial legal fees of EUR 81.68 (0.65 business fee no. 2300 VV RVG of EUR 57.20, flat rate no. 7002 VV RVG of EUR 11.44, sales tax no. 7008 VV RVG of EUR 13.04),

cf. OLG Frankfurt, judgment of April 14, 2022 - 3 U 21/20 -, juris para. 59 ff.

The claim for interest with regard to the ancillary claim for the pre-court attorney's fees is based on §§ 291, 288 Para. 1 Sentence 2 BGB analogously. The lis pendens occurred before the District Court of Düsseldorf in accordance with § 261 Paragraph 1, § 253 Paragraph 1 ZPO with the delivery of the statement of claim to the Federal Office of Administration of the defendant on October 21, 2020. The effects of lis pendens remain in effect even after the procedure has been referred, Section 17b (1) sentence 2 GVG.

The interest accrual begins analogous to Section 187 (1) BGB on the day after the action is served, in this case on October 22, 2020.

The decision on costs is based on Section 155 (1) sentence 1 Var. 2 VwGO.

The decision on the provisional enforceability follows from Section 167 Paragraph 1 Sentence 1 VwGO in conjunction with Section 708 No. 11, Section 711 ZPO.

The appeal is to be allowed according to §§ 124a paragraph 1 in conjunction with 124 paragraph 2 number 3 VwGO due to the fundamental importance of the legal matter.

Instructions on Right of Recourse

Those involved are entitled to appeal against this judgment to the Higher Administrative Court for the state of North Rhine-Westphalia. The appeal must be lodged in writing with the Cologne Administrative Court, Appellhofplatz, 50667 Cologne, within one month of the delivery of the full judgment. It must designate the contested judgment.

The appeal must be justified within two months after delivery of the complete judgment. The justification must be submitted in writing or as an electronic document in accordance with § 55a VwGO and the ERVV to the Higher Administrative Court, Aegidiikirchplatz 5, 48143 Münster, unless it is submitted at the same time as the appeal is lodged; it must contain a specific application and the reasons for the challenge (reasons for appeal) to be given in detail.

We would like to point out that from January 1, 2022, lawyers, authorities and legal entities under public law will be obliged to transmit documents as electronic documents in accordance with §§ 55a, 55d Administrative Court Code - VwGO - and the regulation on the technical framework conditions for electronic legal transactions and on the special electronic official mailbox (Electronic Legal Transactions Ordinance - ERVV).

Before the Higher Administrative Court and in procedural acts that initiate proceedings before the Higher Administrative Court, each party involved must be represented by a legal representative. Lawyers or legal teachers at a state or state-recognized university in a member state of the European Union, another state party to the Agreement on the European Economic Area or Switzerland who are qualified to hold judicial office are authorized to act as legal representatives. In addition, the persons who are otherwise designated in § 67 Para. 4 of the Administrative Court Code are admitted.

The appeal should be submitted in duplicate. If an electronic document is submitted, no copies are required.

Furthermore, without the participation of the honorary judges, the

decision

The value of the disputed item is increased

€3,000.00

fixed.

Reasons:

The fixed amount corresponds to the amount of the monetary benefit in dispute (§ 52 Para. 3 GKG).

Instructions on Right of Recourse

Complaints against this decision can be lodged in writing or for the record with the clerk of the office at the Cologne Administrative Court, Appellhofplatz, 50667 Cologne.

The complaint must be lodged within six months after the decision on the main matter has become final or the proceedings have otherwise been resolved. If the amount in dispute has been determined later than one month before the end of this period, it can still be filed within one month after the delivery or informal notification of the determination resolution.

We would like to point out that from January 1, 2022, lawyers, authorities and legal entities under public law will be obliged to transmit documents as electronic documents in accordance with §§ 55a, 55d Administrative Court Code - VwGO - and the regulation on the technical framework conditions for electronic legal transactions and on the special electronic official mailbox (Electronic Legal Transactions Ordinance - ERVV).

The complaint is only admissible if the value of the object of the complaint exceeds 200 euros.

The notice of appeal should be submitted in duplicate. If an electronic document is submitted, no copies are required.